Using counters and a table to protect data in a storage device

ABSTRACT

Provided are a system, memory controller, and method for using counters and a table to protect data in a storage device. Upon initiating operations to modify a file in the storage device, a storage write counter is incremented in response to initiating the operations to modify the file. In response to incrementing the storage write counter, write table operations are initiated including setting a table write counter to a storage write counter and setting a table commit counter to the storage commit counter plus a value. The operation to modify the file in response to completing the write table operations. The system commit counter is incremented by the value in response to completing the operation to modify the file.

TECHNICAL FIELD

Embodiments described herein generally relate to protecting data in astorage device and managing failure recovery to protect data stored innon-volatile storage devices.

BACKGROUND

A secure execution environment may utilize a monotonic counter toprotect against replay attacks. For monotonic counters whose values areincremented, once the count value changes to a higher number, it shouldnot subsequently exhibit a lower value.

It is an important feature of a monotonic counter that it maintains itsvalue across power cycle events so that a replay attack that results ina power cycle event may not alter the monotonic counter.

There is a need in the art for improved techniques for maintainingmonotonic counters to protect from replay attacks.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments are described by way of example, with reference to theaccompanying drawings, which are not drawn to scale, in which likereference numerals refer to similar elements.

FIG. 1 illustrates an embodiment of a storage device.

FIG. 2 illustrates an embodiment of a table used to protect from replayattacks.

FIG. 3 illustrates an embodiment of a file entry in the table of FIG. 2.

FIG. 4 illustrates an embodiment of operations to modify a protectedfile in the storage device.

FIG. 5 illustrates an embodiment of operations to perform a power-onevent sequence to recover from a power failure.

FIG. 6 illustrates an embodiment of table write operations performedduring the operations to modify a file.

FIG. 7 illustrates an embodiment of set error state operations toperform during a failure recovery.

FIG. 8 illustrates a system in which the storage device of claim 1 maybe deployed.

DESCRIPTION OF EMBODIMENTS

For current Serial Peripheral Interface (SPI) flash devices, it is notpossible to guarantee that when modifying protected data that theoperations of writing the data and writing the incremented monotoniccounter are indivisible or atomic operations. In current devices, ifthere is a power failure or other error that occurs, then the operationsof the data write and or monotonic counter update may not occurindivisibly.

Described embodiments provide two monotonic counters to track a write toprotected data, including a write counter incremented before a write toan anti-replay table and a commit counter incremented after the data iswritten. At most times these two counters have the same value. When anew replay protected data operation is performed, the write counter maybe incremented first, then the anti-replay table updated, and the commitcounter incremented next. If there is no failure during these threeoperations, then the two counters have the same value.

If there is a power failure between any of the above operations, arecovery operation is performed when the two monotonic counters aremismatched. If it is determined that the failure occurred within thecontext of the file modification operations, then the counters may beset to values as if the write that was occurring during the failure didnot occur. If it cannot be determined using the two counters that thefailure occurred within the flow of file modification operations, thenall the counters and table are reset because of the potential for areplay attack having resulted in a condition where the failure cannot beplaced within the flow of the file modification operations.

In the following description, numerous specific details such as logicimplementations, opcodes, means to specify operands, resourcepartitioning/sharing/duplication implementations, types andinterrelationships of system components, and logicpartitioning/integration choices are set forth in order to provide amore thorough understanding of the present invention. It will beappreciated, however, by one skilled in the art that the invention maybe practiced without such specific details. In other instances, controlstructures, gate level circuits and full software instruction sequenceshave not been shown in detail in order not to obscure the invention.Those of ordinary skill in the art, with the included descriptions, willbe able to implement appropriate functionality without undueexperimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Certain embodiments relate to storagedevices electronic assemblies. Embodiments include both devices andmethods for forming electronic assemblies.

FIG. 1 illustrates an embodiment of a storage device 100 including anon-volatile memory controller 102 to perform read, write and failurerecovery operations with respect to a memory storage array 104. Thestorage device 100 may comprise a flash device, an SPI flash device, asolid state storage drive (SSD), a flash controller and flash device(e.g., NAND or NOR), and other read/write storage type devices, such asa memory device, disk drive, etc.

The memory storage array 104 may comprise electrically erasable andnon-volatile memory cells, such as flash storage devices. For instance,the memory storage array 104 may comprise NAND dies of memory cells. Inone embodiment, the NAND dies may comprise a multilevel cell (MLC) NANDflash memory that in each cell records two bit values, a lower bit valueand an upper bit value. Alternatively, the NAND dies may comprise singlelevel cell (SLC) memories. The storage array 104 may also comprise, butis not limited to, MLC NAND flash memory, ferroelectric random-accessmemory (FeTRAM), nanowire-based non-volatile memory, three-dimensional(3D) crosspoint memory such as phase change memory (PCM), memory thatincorporates memristor technology, Magnetoresistive random-access memory(MRAM), Spin Transfer Torque (STT)-MRAM, a single level cell (SLC) Flashmemory and other electrically erasable programmable read only memory(EEPROM) type devices.

The controller 102 includes a security engine 106 to protect certainsystem data maintained in a table 200 having information to protectfiles indicated in the table against attacks, such as anti-replayattacks. The table 200 includes entries for files that are to beprotected against anti-replay attacks. To protect the files identifiedin the table 200, the security engine 106 maintains a storage writecounter 108 incremented when a modification of a file indicated in thetable 200 is completed. A file modification operation may comprise anoperation to update, create or delete a file. The security engine 106uses a protected real time clock 112, not accessible to any externalhosts, to provide a clock time to use during data protection operations.The counters 108, 110 may be considered as monotonic counters used toprotect against replay attacks. The counters 108, 110 and table 200 maybe implemented in the storage device 100, such as in the hardware of thecontroller 102 and/or the storage array 104, or a component external tothe storage device 100, such as an interface component.

FIG. 2 illustrates an embodiment of the anti-replay table 200 asincluding a security header 202; a table write counter 204; a tablecommit counter 206; accumulated credits 208 to determine whether writesmay proceed to the table 200; a modified file name 210 of a file beingmodified; a modification operation 212 indicating a modify operationbeing performed on the file 210; a pre-modification file write counter214 indicating a file 210 write counter before the current modificationoperation; a table time last modified 216 indicating the protected realtime clock 112 value when the table 200 was last modified; a tableoperation status 218 indicating whether the last operation has an errorstate after performing a power event routine of FIG. 5; and file entries300 providing an entry for each protected file in the storage 104.

FIG. 3 illustrates an embodiment of an instance of a file entry 300, forone protected file, which includes the file name 302, a file writecounter 304 comprising the storage write counter 108 value when the fileis updated, and a file time last modified 306 indicating the real timeclock 112 value when the file was last modified.

FIG. 4 illustrates an embodiment of operations performed by the securityengine 106 to initiate an operation to modify a protected file in thestorage 104 for which information is maintained in the table 200. If (atblock 401) the number of accumulated credits 208 for the table 200 issufficient for the requested modification operations to be performedwith respect to the table 200, then control proceeds to block 402 tocontinue processing the modification, otherwise fail is returned (atblock 403) to the modification request. If (at block 401) there aresufficient number of credits 208, then the storage write counter 108 isincremented (at block 402) and a series of write table operation 404 areinitiated. In one embodiment, all the write table operations 404-408must successfully complete in order for the write table operations tocomplete, i.e., they comprise an atomic operation. If one of theoperations 404-408 fails to complete, then all the operations fail.

As part of the write table operations 404, the security engine 106 sets(at block 405) the table write counter 204 to the storage write counter108 and sets (at block 406) the table commit counter 208 to the storagecommit counter 210 plus a value, such as one. A credit adjustment isdetermined (at block 407) based on a time the table was last modified216 and the accumulated credits 208 for the table are updated (at block408) by the determined adjustment. In one embodiment the creditadjustment may comprise a difference of the current time as indicated bythe clock 112 minus the table time last modified 216 and that differencemultiplied by credit adjustment rate, which indicates a rate at which anadditional credit are assigned per unit of time if no updates arereceived during that unit of time.

If all the operations 405-408 complete successfully, then the securityengine 106 performs an operation (at block 409) to modify the file ifthe write table operations 405 are completed. If the write tableoperations 405 are not all completed, then the write would fail. Thestorage commit counter 110 is incremented (at block 410) by the value,e.g., one, in response to completing the operation to modify the file.

FIG. 5 illustrates operations the security engine 106 performs upon thestorage device 100 experiencing a power-on event. Upon initiating (atblock 500) the power-on event sequence, the security engine 106determines (at block 501) whether the table write 204 and commit 206counters are equal to the storage write 108 and commit 110 counters,respectively If (at block 501) they are equal, then writes to theprotected files indicated in the table 200 may proceed (at block 502).If they are not equal, then a recovery operation needs to be performedat the following operations from block 503 to determine where thefailure occurred in the file modification process flow.

At block 503, the security engine 106 determines whether the failureoccurred after incrementing the storage write counter 108 withoutcompleting the write table operations 404. The determination that thefailure occurred after incrementing the storage write counter 108 andbefore completing the write table operations 404 may be determined whenthe table write counter 204 is equal to the storage write counter 108less the value, e.g., one, and the table commit counter 206 is equal tothe storage commit counter 110.

If (at block 503) the failure did not occur after incrementing thestorage write counter 108 without completing write table operations 403,then a determination is made (at block 504) whether the failure occurredafter completing the write table operations 404 and before completingthe file modification at blocks 409 and 410. The determination that thefailure occurred after completing the write table operations 404 andbefore committing the write at blocks 409 and 410 during a currentfailure or previous failure may be determined when the table commitcounter 206 is equal to the storage commit 110 counter plus the value,e.g., one, and either (1) the table write counter 204 is equal to thestorage write counter 108 or (2) the table write counter 204 is equal tothe storage write counter 108 less the value, e.g., one.

If (at block 504) the failure did not occur between completing the writetable operations 404 and committing the write at block 410, then that isnot a valid combination and control proceeds to block 505 to reset allthe storage counters 108, 110 and the entire table 200 because of thepossibility the failure and recovery could have been triggered by areplay attempt.

If (at block 504) the failure did occur between completing the writetable operations 404 and committing the write at block 410, then adetermination is made (at block 506) whether the failure occurred beforecompleting the set error state operations at block 509 during a previousfailure. The determination that the failure occurred while trying toperform the set error state operations 509 may be determined whendetermining that the modified file name 210 is null, which would be setif the set error state operations 509 succeeded. If (from the no blockat block 506) the failure occurred after the set error state operations509 completed, then the security manager 106 determines (at block 507)whether the file modification operation at block 409 in fact completed.This determination may be made by confirming whether the write counteror monotonic counter written with the file to the storage 104 matchesthe file write counter 304 maintained for the file entry 300 _(i) forthe file being modified, which in certain embodiments matches if thefile was written successfully.

If (at block 507) the file modify operation did not complete, then thesecurity manager 106 sets (at block 508) the file write counter 304 inthe entry 300, for the file to modify to a previous version of the filewrite counter 214 for the file to modify, to return the file writecounter 304 to the value before the failed update.

From the yes branch of block 503, the no branch of block 504, the yesbranch of block 506, the yes branch of block 507, and block 508 controlproceeds to block 509 to reinitialize counters and information. At block509, the security manager 106 performs set error state operations,including setting the table write 204 and commit 206 counters to thestorage write 108 and commit counters 110, respectively. The set errorstate operations may comprise atomic operations, such that they all mustcomplete for them to complete, else they fail if one of the set errorstate operations does not complete. After completing the set error stateoperations, the security manager 106 increments (at block 510) thestorage write counter 108 and increments (at block 511) the storagecommit counter 110. The table commit counter 206 is set (at block 512)to the storage commit counter 206 plus a value, e.g., one. After block512, the storage and table counters have been reinitialized to recoverfrom a failure if one occurred during the flow of the operations of FIG.4.

FIG. 6 illustrates a further embodiment of the write table operations ofblock 404 in FIG. 4 performed by the security engine 106, which maycomprise atomic operations. Upon initiating (at block 600) the writetable operations, the security manager 106 sets (at block 601) the tablewrite counter 204 to the storage write counter 108, sets (at block 602)the table commit counter 206 to the storage commit counter 110, sets (atblock 603) the file write counter 304 for the file indicated at field210 in the table 210 to the storage write counter 108, and saves thefile write counter 304 as the pre-modification file write counter 214.The security engine 106 further sets (at block 605) file operationparameters for the file that was being modified when the failureresulting in the recovery occurred, such as setting the modified filename 210 to the name of the file being modified, the modificationoperation type 212, e.g., create, delete, update, NULL, modificationtype, and table operation status 218 to success. The credits 208 areadjusted (at block 606) based on the table time last modified 210, thecurrent time according to the clock 112, and a credit adjustment ratethat may be specified by the storage device 100 manufacturer. In oneembodiment the credit adjustment may be calculated by determining adifference of the current clock 112 time and the table time lastmodified 216, and multiply that difference by the credit adjustmentrate, which specifies a credits to add for a unit of time. The tabletime last modified 216 is set (at block 607) to the current timeaccording to the protected real time clock 112 value.

FIG. 7 illustrates an embodiment of the set error state operations atblock 509 in

FIG. 5 performed by the security engine 106, which may comprise atomicoperations, where all operations must complete in order for the seterror state operations to complete. Upon initiating (at block 700) theset error state operations, the security engine 106 sets (at block 701)the table write counter 204 to the storage write counter 108, sets (atblock 702) the table commit counter 206 to the storage commit counter110, and sets (at block 703) the modified file name 210 to NULL. Thetable operation status 218 is set (at block 704) to failed. Theaccumulated credits 208 are adjusted (at block 705) by the number ofoperations required to perform the table write operations.

FIG. 8 illustrates an embodiment of a system 800 in which a non-volatilestorage device 802, such as storage device 100 of FIG. 1, may bedeployed. The system includes a processor 804 that communicates over abus 806 with a volatile memory device 808 in which programs, operandsand parameters being executed are cached and the non-volatile storagedevice 802, in which data and programs may be stored. The processor 800may also communicate with Input/Output (I/O) devices 810a, 810b, whichmay comprise input devices, display devices, graphics cards, ports,network interfaces, etc. The non-volatile storage device 802 may bemounted to the system enclosure 800, such as in a storage drive bay, orconnected to the system 800 through a port interface or over thenetwork.

It should be appreciated that reference throughout this specification to“one embodiment” or “an embodiment” means that a particular feature,structure or characteristic described in connection with the embodimentis included in at least one embodiment of the present invention.Therefore, it is emphasized and should be appreciated that two or morereferences to “an embodiment” or “one embodiment” or “an alternativeembodiment” in various portions of this specification are notnecessarily all referring to the same embodiment. Furthermore, theparticular features, structures or characteristics may be combined assuitable in one or more embodiments of the invention.

Similarly, it should be appreciated that in the foregoing description ofembodiments of the invention, various features are sometimes groupedtogether in a single embodiment, figure, or description thereof for thepurpose of streamlining the disclosure aiding in the understanding ofone or more of the various inventive aspects. This method of disclosure,however, is not to be interpreted as reflecting an intention that theclaimed subject matter requires more features than are expressly recitedin each claim. Rather, as the following claims reflect, inventiveaspects lie in less than all features of a single foregoing disclosedembodiment. Thus, the claims following the detailed description arehereby expressly incorporated into this detailed description.

The described operations of the security engine 106 may be implementedas a method, apparatus or computer readable storage medium usingstandard programming and/or engineering techniques to produce software,firmware, hardware, or any combination thereof. The described operationsmay be implemented as code or logic maintained in a “computer readablestorage medium”, which may directly execute the functions or where aprocessor may read and execute the code from the computer storagereadable medium. The computer readable storage medium includes at leastone of electronic circuitry, storage materials, inorganic materials,organic materials, biological materials, a casing, a housing, a coating,and hardware. A computer readable storage medium may comprise, but isnot limited to, a magnetic storage medium (e.g., hard disk drives,floppy disks, tape, etc.), optical storage (CD-ROMs, DVDs, opticaldisks, etc.), volatile and non-volatile memory devices (e.g., EEPROMs,ROMs, PROMs, RAMs, DRAMs, SRAMs, Flash Memory, firmware, programmablelogic, etc.), Solid State Devices (SSD), etc. The computer readablestorage medium may further comprise digital logic implemented in ahardware device (e.g., an integrated circuit chip, a programmable logicdevice, a Programmable Gate Array (PGA), field-programmable gate array(FPGA), Application Specific Integrated Circuit (ASIC), etc.). Stillfurther, the code implementing the described operations may beimplemented in “transmission signals”, where transmission signals maypropagate through space or through a transmission media, such as anoptical fiber, copper wire, etc. The transmission signals in which thecode or logic is encoded may further comprise a wireless signal,satellite transmission, radio waves, infrared signals, Bluetooth, etc.The program code embedded on a computer readable storage medium may betransmitted as transmission signals from a transmitting station orcomputer to a receiving station or computer. A computer readable storagemedium is not comprised solely of transmission signals, but includestangible components. Those skilled in the art will recognize that manymodifications may be made to this configuration without departing fromthe scope of the present invention, and that the article of manufacturemay comprise suitable information bearing medium known in the art.

The computer readable storage medium includes at least some hardwareelements and is not solely implemented as transmission signals.

EXAMPLES

The following examples pertain to further embodiments.

Example 1 is a system for protecting data in a storage device,comprising: a storage write counter; a storage commit counter; a tableincluding a table write counter and a table commit counter; a securityengine that when executed performs operations, the operationscomprising: initiating operations to modify a file; incrementing thestorage write counter in response to initiating the operations to modifythe file; in response to incrementing the storage write counter,initiating write table operations including setting the table writecounter to the storage write counter and setting the table commitcounter to the storage commit counter plus a value; performing theoperation to modify the file in response to completing the write tableoperations; and incrementing the system commit counter by the value inresponse to completing the operation to modify the file.

In Example 2, the subject matter of Example 1 can optionally includethat the operations further comprise: in response to a power cycleevent, determining whether the table write and commit counters are equalto the storage write and commit counters, respectively; determiningwhether a failure occurred while performing the operations to modify thefile before the file was modified in response to determining that thetable write and commit counters are equal to the storage write andcommit counters, respectively; and initiating set error state operationsto set the table write counter to the storage write counter and thetable commit counter to the storage commit counter in response to thedetermining the failure occurred while performing the operations tomodify the file and before the file was modified.

In Example 3, the subject matter of Example 1 and 2 can optionallyinclude that the operations further comprise: in response to completingsetting the error state operations, performing: incrementing the storagewrite counter; setting the table commit counter to the storage commitcounter; and incrementing the storage commit counter.

In Example 4, the subject matter of Examples 1-3 can optionally includethat the operations further comprise: setting the storage write andcommit counters, the table write and commit counters and other tableinformation in response to determining that the failure occurred afterthe file was modified.

In Example 5, the subject matter of Example 1-4 can optionally includethat the determining whether the failure occurred while performing theoperations to modify the file comprises determining whether the failureoccurred after incrementing the storage write counter and beforecompleting the write table operations.

In Example 6, the subject matter of Examples 1-5 can optionally includethat the determining the failure occurred after incrementing the storagewrite counter and before completing the write table operations comprisesdetermining that the table write counter is equal to the storage writecounter less the value and the table commit counter is equal to thestorage commit counter.

In Example 7, the subject matter of Examples 2-6 can optionally includethat the determining whether the failure occurred while performing theoperations to modify the file comprises determining whether the failureoccurred after completing the write table operations and beforecompleting the modification of the file during a current failure duringwhich the table write counter was incremented or during a previousfailure when the table write counter was not incremented during thecurrent failure

In Example 8, the subject matter of Examples 2-7 can optionally includethat the determining whether the failure occurred after the write tableoperations are completed comprises: determining that the table commitcounter is equal to the storage commit counter plus the value and one ofthat the table write counter is equal to the storage write counter andthe table write counter is equal to the storage write counter less thanthe value.

In Example 9, the subject matter of Examples 2-8 can optionally includethat the operations further comprise: determining whether the failureoccurred while performing the set error state in response to determiningthat the failure did not occur while performing the operations to modifythe file; and performing the set error state operations in response todetermining that the failure occurred while performing the set errorstate operations.

In Example 10, the subject matter of Examples 2-9 can optionally includethat the determining whether the failure occurred while performing theoperations to modify the file further comprises: determining whether theerror state operations completed during a previous failure; performingthe error state operations in response to determining the error stateoperations completed the previous failure; in response to determiningthe error state operations completed during the previous failure,determining whether the file was successfully modified; performing theerror state operations in response to determining the file wassuccessfully modified; and setting a file write counter for the file tomodify to a previous version of the file write counter for the file tomodify in response to determining that the file was not successfullymodified.

In Example 11, the subject matter of Examples 2-10 can optionallyinclude that the operations further comprise: determining whether thereare a sufficient number of credits to perform the operations to modifythe file, wherein the operations to modify the file are only performedif there are the sufficient number of credits; wherein the write tableoperations further include determining a credit adjustment based on atime the table was last modified and updating the credits with thedetermined credit adjustment.

In Example 12, the subject matter of Examples 2-11 can optionallyinclude that the write table operations comprise atomic operations thatmust all complete to succeed, and further include: indicating the fileto modify; setting a pre-modification write counter to a current valueof a write counter for the file; setting the write counter of the fileto the storage write counter; adjusting credits based on a table timelast modified and a current time; and setting the table time lastmodified to the current time after adjusting the credits.

In Example 13, the subject matter of Examples 2-12 can optionallyinclude that the system comprises a flash memory device including thesecurity engine and the storage device.

In Example 14, the subject matter of Examples 2-12 can optionallyinclude that the table includes a file entry for each file in thestorage device to protect, wherein each of the file entries include awrite counter set to the system counter when the during the write tableoperations.

Example 15 is a memory controller coupled to a storage device to protectdata in the storage device, comprising: a storage write counter; astorage commit counter; a table including a table write counter and atable commit counter; a security engine that when executed performsoperations, the operations comprising: initiating operations to modify afile; incrementing the storage write counter in response to initiatingthe operations to modify the file; in response to incrementing thestorage write counter, initiating write table operations includingsetting the table write counter to the storage write counter and settingthe table commit counter to the storage commit counter plus a value;performing the operation to modify the file in response to completingthe write table operations; and incrementing the system commit counterby the value in response to completing the operation to modify the file.

In Example 16, the subject matter of Example 15 can optionally includethat the operations further comprise: in response to a power cycleevent, determining whether the table write and commit counters are equalto the storage write and commit counters, respectively; determiningwhether a failure occurred while performing the operations to modify thefile before the file was modified in response to determining that thetable write and commit counters are equal to the storage write andcommit counters, respectively; and initiating set error state operationsto set the table write counter to the storage write counter and thetable commit counter to the storage commit counter in response to thedetermining the failure occurred while performing the operations tomodify the file and before the file was modified.

In Example 17, the subject matter of Examples 15-16 can optionallyinclude that the operations further comprise: in response to completingsetting the error state operations, performing: incrementing the storagewrite counter; setting the table commit counter to the storage commitcounter; and incrementing the storage commit counter.

In Example 18, the subject matter of Examples 15-17 can optionallyinclude that the determining whether the failure occurred whileperforming the operations to modify the file comprises determiningwhether the failure occurred after incrementing the storage writecounter and before completing the write table operations.

In Example 19, the subject matter of Examples 15-18 can optionallyinclude that the determining whether the failure occurred whileperforming the operations to modify the file comprises determiningwhether the failure occurred after completing the write table operationsand before completing the modification of the file during a currentfailure during which the table write counter was incremented or during aprevious failure when the table write counter was not incremented duringthe current failure.

Example 20 is a method for protecting data in a storage device,comprising: initiating operations to modify a file in the storagedevice; incrementing a storage write counter in response to initiatingthe operations to modify the file; in response to incrementing thestorage write counter, initiating write table operations includingsetting a table write counter to a storage write counter and setting atable commit counter to the storage commit counter plus a value;performing the operation to modify the file in response to completingthe write table operations; and incrementing the system commit counterby the value in response to completing the operation to modify the file.

In Example 21, the subject matter of Example 20 can optionally includethat in response to a power cycle event, determining whether the tablewrite and commit counters are equal to the storage write and commitcounters, respectively; determining whether a failure occurred whileperforming the operations to modify the file before the file wasmodified in response to determining that the table write and commitcounters are equal to the storage write and commit counters,respectively; and initiating set error state operations to set the tablewrite counter to the storage write counter and the table commit counterto the storage commit counter in response to the determining the failureoccurred while performing the operations to modify the file and beforethe file was modified.

In Example 22, the subject matter of Examples 20-21 can optionallyinclude that the operations further comprise: in response to completingsetting the error state operations, performing: incrementing the storagewrite counter; setting the table commit counter to the storage commitcounter; and incrementing the storage commit counter.

In Example 23, the subject matter of Examples 20-22 can optionallyinclude that the determining whether the failure occurred whileperforming the operations to modify the file comprises determiningwhether the failure occurred after incrementing the storage writecounter and before completing the write table operations.

In Example 24, the subject matter of Examples 20-23 can optionallyinclude that the determining whether the failure occurred whileperforming the operations to modify the file comprises determiningwhether the failure occurred after completing the write table operationsand before completing the modification of the file during a currentfailure during which the table write counter was incremented or during aprevious failure when the table write counter was not incremented duringthe current failure.

In Example 25, the subject matter of Examples 20-24 can optionallyinclude that the write table operations comprise atomic operations thatmust all complete to succeed, and further include: indicating the fileto modify; setting a pre-modification write counter to a current valueof a write counter for the file; setting the write counter of the fileto the storage write counter; adjusting credits based on a table timelast modified and a current time; and setting the table time lastmodified to the current time after adjusting the credits.

In Example 26, the subject matter of Example 20 can optionally includeat least one step of: (1) in response to a power cycle event,determining whether the table write and commit counters are equal to thestorage write and commit counters, respectively; determining whether afailure occurred while performing the operations to modify the filebefore the file was modified in response to determining that the tablewrite and commit counters are equal to the storage write and commitcounters, respectively; and initiating set error state operations to setthe table write counter to the storage write counter and the tablecommit counter to the storage commit counter in response to thedetermining the failure occurred while performing the operations tomodify the file and before the file was modified; and/or (2) in responseto completing setting the error state operations, performing:incrementing the storage write counter; setting the table commit counterto the storage commit counter; and incrementing the storage commitcounter; and/or (3) setting the storage write and commit counters, thetable write and commit counters and other table information in responseto determining that the failure occurred after the file was modified;and/or (4) wherein the determining whether the failure occurred whileperforming the operations to modify the file comprises determiningwhether the failure occurred after incrementing the storage writecounter and before completing the write table operations; and/or (5)wherein determining the failure occurred after incrementing the storagewrite counter and before completing the write table operations comprisesdetermining that the table write counter is equal to the storage writecounter less the value and the table commit counter is equal to thestorage commit counter; and/or (6) wherein the determining whether thefailure occurred while performing the operations to modify the filecomprises determining whether the failure occurred after completing thewrite table operations and before completing the modification of thefile during a current failure during which the table write counter wasincremented or during a previous failure when the table write counterwas not incremented during the current failure; and/or (7) wherein thedetermining whether the failure occurred after the write tableoperations are completed comprises: determining that the table commitcounter is equal to the storage commit counter plus the value and one ofthat the table write counter is equal to the storage write counter andthe table write counter is equal to the storage write counter less thanthe value; and/or; (8) determining whether the failure occurred whileperforming the set error state in response to determining that thefailure did not occur while performing the operations to modify thefile; and performing the set error state operations in response todetermining that the failure occurred while performing the set errorstate operations; and/or (9) wherein the determining whether the failureoccurred while performing the operations to modify the file furthercomprises: determining whether the error state operations completedduring a previous failure; performing the error state operations inresponse to determining the error state operations completed theprevious failure; in response to determining the error state operationscompleted during the previous failure, determining whether the file wassuccessfully modified; performing the error state operations in responseto determining the file was successfully modified; and setting a filewrite counter for the file to modify to a previous version of the filewrite counter for the file to modify in response to determining that thefile was not successfully modified; and/or (10) determining whetherthere are a sufficient number of credits to perform the operations tomodify the file, wherein the operations to modify the file are onlyperformed if there are the sufficient number of credits; wherein thewrite table operations further include determining a credit adjustmentbased on a time the table was last modified and updating the creditswith the determined credit adjustment; and/or (11) wherein the writetable operations comprise atomic operations that must all complete tosucceed, and further include: indicating the file to modify; setting apre-modification write counter to a current value of a write counter forthe file; setting the write counter of the file to the storage writecounter; adjusting credits based on a table time last modified and acurrent time; and setting the table time last modified to the currenttime after adjusting the credits; and/or (12) wherein the systemcomprises a flash memory device including the security engine and thestorage device; and/or; (13) wherein the table includes a file entry foreach file in the storage device to protect, wherein each of the fileentries include a write counter set to the system counter when theduring the write table operations.

Example 27 is an apparatus coupled to a storage device to protect datain the storage device, comprising: means for initiating operations tomodify a file; means for incrementing a storage write counter inresponse to initiating the operations to modify the file; means forinitiating write table operations including setting a table writecounter to the storage write counter and setting a table commit counterto the storage commit counter plus a value in response to incrementingthe storage write counter; means for performing the operation to modifythe file in response to completing the write table operations; and meansfor incrementing the system commit counter by the value in response tocompleting the operation to modify the file.

Example 28 is an apparatus comprising means to perform a method asclaimed in any preceding claim.

Example 29 is a machine-readable storage including machine-readableinstructions, when executed, to implement a method or realize anapparatus or system as claimed in any preceding claim.

1-25. (canceled)
 26. A system for protecting data in a storage device,comprising: a first counter; a second counter; a security engineexecuted to: initiate an operation to modify a file; update a firstcounter and second counter to have different values, wherein the secondcounter has a greater value than the first counter perform the operationto modify the file in response to updating the first and the secondcounters; and use the first and second counters to determine whether toallow writes to proceed to files in response to a power-on event. 27.The system of claim 26, wherein the update the first counter and secondcounter sets the first counter to a number of initiated writes and setsthe second counter to a number of completed writes plus a value.
 28. Thesystem of claim 27, wherein the determine whether to allow the writes toproceed determines to allow the writes to proceed if the first counterequals the number of initiated writes and the second counter equals thenumber of completed writes.
 29. The system of claim 28, wherein thesecurity engine is further executed to: determine whether a failureoccurred after incrementing the number of initiated writes withoutupdating the first and second counters in response to determining thatthe first counter does not equal the number of initiated writes or thesecond counter does not equal the number of completed write operations;and initiate set error state operations to set the first counter to thenumber of initiated writes and the second counter to the number ofcompleted writes in response to determining that a failure occurredafter incrementing the number of initiated writes without updating thefirst and second counters.
 30. The system of claim 29, wherein the seterror state operations further increment the number of initiated writesand the number of completed writes and sets the second counter to thenumber of completed writes plus a value.
 31. The system of claim 26,wherein the security engine is further executed to: update credits basedon a time the first and second counters were last modified and a currenttime; and determine whether there are a sufficient number of credits inorder to modify the file, wherein the modify the file is only performedif there are the sufficient number of credits.
 32. The system of claim31, wherein the update the first and second counters and the update thecredits comprise an atomic operation.
 33. The system of claim 26,wherein the first and second counters are implemented in hardware of thestorage device.
 34. The system of claim 26, wherein the system comprisesa flash memory device including the security engine and the storagedevice.
 35. A memory controller coupled to a storage device to protectdata in the storage device, comprising: a first counter; a secondcounter; a security engine executed to: initiate an operation to modifya file; update a first counter and second counter to have differentvalues, wherein the second counter has a greater value than the firstcounter perform the operation to modify the file in response to updatingthe first and the second counters; and use the first and second countersto determine whether to allow writes to proceed to files in response toa power-on event.
 36. The memory controller of claim 35, wherein theupdate the first counter and second counter sets the first counter to anumber of initiated writes and sets the second counter to a number ofcompleted writes plus a value.
 37. The memory controller of claim 36,wherein the determine whether to allow the writes to proceed determinesto allow the writes to proceed if the first counter equals the number ofinitiated writes and the second counter equals the number of completedwrites.
 38. The memory controller of claim 37, wherein the securityengine is further executed to: determine whether a failure occurredafter incrementing the number of initiated writes without updating thefirst and second counters in response to determining that the firstcounter does not equal the number of initiated writes or the secondcounter does not equal the number of completed write operations; andinitiate set error state operations to set the first counter to thenumber of initiated writes and the second counter to the number ofcompleted writes in response to determining that a failure occurredafter incrementing the number of initiated writes without updating thefirst and second counters.
 39. The memory controller of claim 38,wherein the set error state operations further increment the number ofinitiated writes and the number of completed writes and sets the secondcounter to the number of completed writes plus a value.
 40. The memorycontroller of claim 35, wherein the security engine is further executedto: update credits based on a time the first and second counters werelast modified and a current time; and determine whether there are asufficient number of credits to perform the operations to modify thefile, wherein the modify the file is only performed if there are thesufficient number of credits.
 41. The memory controller of claim 40,wherein the update the first and second counters and the update thecredits comprise an atomic operation.
 42. The memory controller of claim35, wherein the first and second counters are implemented in hardware ofthe storage device.
 43. A method for protecting data in a storagedevice, comprising: initiating an operation to modify a file; updating afirst counter and second counter to have different values, wherein thesecond counter has a greater value than the first counter performing theoperation to modify the file in response to updating the first and thesecond counters; and using the first and second counters to determinewhether to allow writes to proceed to files in response to a power-onevent.
 44. The method of claim 43, wherein the updating the firstcounter and second counter sets the first counter to a number ofinitiated writes and sets the second counter to a number of completedwrites plus a value.
 45. The method of claim 44, wherein the determiningwhether to allow the writes to proceed determines to allow the writes toproceed if the first counter equals the number of initiated writes andthe second counter equals the number of completed writes.
 46. The methodof claim 45, further comprising: determining whether a failure occurredafter incrementing the number of initiated writes without updating thefirst and second counters in response to determining that the firstcounter does not equal the number of initiated writes or the secondcounter does not equal the number of completed write operations; andinitiating set error state operations to set the first counter to thenumber of initiated writes and the second counter to the number ofcompleted writes in response to determining that a failure occurredafter incrementing the number of initiated writes without updating thefirst and second counters.
 47. The method of claim 46, wherein the seterror state operations further increment the number of initiated writesand the number of completed writes and sets the second counter to thenumber of completed writes plus a value.
 48. The method of claim 43,further comprising: updating credits based on a time the first andsecond counters were last modified and a current time; and determiningwhether there are a sufficient number of credits to perform theoperations to modify the file, wherein the modify the file is onlyperformed if there are the sufficient number of credits.
 49. The methodof claim 48, wherein the updating the first and second counters and theupdate the credits comprise an atomic operation.
 50. The method of claim43, wherein the first and second counters are implemented in hardware ofthe storage device.